Researchers Say Code Reuse Links North Korea's Malware

Following trails of reused code, security researchers at Intezer and McAfee have uncovered new links between malware families attributed to North Korean threat groups and tracked most of the samples to the infamous Lazarus Group.

Code reuse isn’t novel, and many cases where cybercriminals and threat actors employed this technique have been already reported on. In fact, actors operating from the same country have been often observed sharing malware code and infrastructure, which often makes attribution highly problematic.

For security researchers, the reuse of code between different malware families and variations and between one campaign to another means that they can gain insight into the activities of threat actors, and this is exactly what Intezer and McAfee focused on in their recent analysis.

The multiple cyber campaigns attributed to North Korean hackers have been so far focused on two different directions: to raise money or pursue nationalist aims.

Thus there’s a workforce of hackers that focuses on cybercrime activities such as hacking into financial institutions (Unit 180) and another to gather intelligence from other nations and to try to disrupt rival states and military targets (Unit 121).

The researchers focused on the latter and discovered “many overlaps in code reuse,” which led them to the conclusion that nation-state sponsored groups were active in those efforts.

After analyzing thousands of malware samples, many unclassified or uncategorized, the researchers noticed a “significant amount of code similarities between almost every one of the attacks associated with North Korea.”

One similarity was found in the server message block (SMB) module of WannaCry (2017), Mydoom (2009), Joanap, and DeltaAlfa.

The researchers also noticed a similarity between three different remote access Trojans, namely NavRAT, Gold Dragon, and a DLL from the South Korean gambling hacking campaign, all three believed to be affiliated with Group 123 (also tracked as Reaper, APT37, and ScarCruft).

There’s also a connection between the Brambul malware (2009) and KorDllBot (2011), based on code responsible for launching a cmd.exe with a net share. Both malware families are attributed to Lazarus.

The security researchers also discovered a connection between the Tapaoux (or DarkHotel) malware family and samples from Operation Troy.

The code reuse and sharing between various threat groups known to be affiliated with North Korea has revealed that most malware families link back to Lazarus. The only malware that stands apart are the RATs attributed to Group 123, which are linked to one another.

“The malware attributed to the group Lazarus has code connections that link many of the malware families spotted over the years. Lazarus is a collective name for many DPRK cyber operations, and we clearly see links between malware families used in different campaigns,” the security researchers note.

On Thursday, the U.S. Department of Homeland Security (DHS) warned of a new malware variant dubbed KEYMARBLE, which the U.S. government has attributed to malicious cyber activity by the North Korean government. DHS says the malware is a Remote Access Trojan (RAT) capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screenshots, and exfiltrating data. More details on KEYMARBLE are available from the malware report (AR18-221A) from the DHS.